phil/vps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
vps/docs/system-plan.md
service 1e1a528a5e Initial commit: VPS setup documentation 
Add comprehensive documentation for VPS setup and configuration including:
- Project instructions
- VPS1 starting point configuration
- VPS1 current state documentation
- VPS1 todo list

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-26 07:43:24 +01:00

7.5 KiB
Raw Permalink Blame History

VPS1 System Setup Plan

Overview

This document outlines the plan to configure vps1.phiiiil.de as a secure, Docker-based system running:

  • Immich - Photo management (already deployed with 37GB of photos)
  • Netbird - VPN management & reverse proxy (already deployed)
  • Gitea - Git hosting (to be deployed)

Current State Assessment

What's Working

  • All containers are healthy and running
  • Netbird is configured with Caddy reverse proxy
  • Immich has 37GB of photos stored
  • DNS: *.vps1.phiiiil.de redirects to the host
  • Docker Compose v5 installed
  • 900GB disk space available

Security Gaps Identified

  1. No firewall (UFW) installed
  2. No fail2ban for SSH protection
  3. No automated backup system
  4. Nextcloud has hardcoded passwords in compose file
  5. No container monitoring

Implementation Plan

Phase 1: Security Hardening

1.1 Install UFW Firewall

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (current connection)
sudo ufw allow 22/tcp comment 'SSH'

# Allow HTTP/HTTPS for Caddy
sudo ufw allow 80/tcp comment 'Caddy HTTP'
sudo ufw allow 443/tcp comment 'Caddy HTTPS'
sudo ufw allow 443/udp comment 'Caddy HTTP3/QUIC'

# Allow Immich direct access (optional, via Caddy recommended)
sudo ufw allow 2283/tcp comment 'Immich Web UI'

# Enable firewall
sudo ufw enable

1.2 Fail2ban for SSH Protection

# Install fail2ban
sudo apt update && sudo apt install -y fail2ban

# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Configure SSH protection
sudo tee -a /etc/fail2ban/jail.local > /dev/null <<EOF
[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 3600
findtime = 600
EOF

sudo systemctl enable --now fail2ban

1.3 Secure Nextcloud Credentials

  • Move Nextcloud credentials to .env file
  • Use Docker secrets for sensitive data
  • Rotate MariaDB passwords

Phase 2: Gitea Deployment

2.1 Architecture Decisions

Questions for User:

  1. Database preference for Gitea?

    • SQLite (simple, single file)
    • PostgreSQL (better performance, can share with existing)
    • MariaDB (separate instance)

  2. Authentication integration?

    • Local accounts only
    • Integrate with Netbird/Zitadel OIDC

  3. Storage requirements?

    • Estimated repositories/users
    • LFS support needed?

2.2 Proposed Gitea Setup

Location: /home/phil/docker/gitea/

Domain: git.phiiiil.de (via Caddy reverse proxy)

Services:

  • Gitea application container
  • PostgreSQL database (separate or shared)
  • Caddy reverse proxy entry

Caddy Configuration Addition:

git.phiiiil.de {
    import security_headers
    reverse_proxy gitea:3000
}

Basic docker-compose.yml:

services:
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    networks:
      - netbird_netbird
    ports:
      - "2222:22"  # SSH for git
    volumes:
      - gitea_data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - GITEA__server__DOMAIN=git.phiiiil.de
      - GITEA__server__ROOT_URL=https://git.phiiiil.de
      - GITEA__server__SSH_PORT=2222
      - GITEA__server__SSH_DOMAIN=git.phiiiil.de
    depends_on:
      - db

  db:
    image: postgres:16-alpine
    container_name: gitea-db
    restart: unless-stopped
    networks:
      - netbird_netbird
    volumes:
      - gitea_db_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=gitea
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD=${DB_PASSWORD}

volumes:
  gitea_data:
  gitea_db_data:

networks:
  netbird_netbird:
    external: true

Phase 3: Backup Strategy

3.1 Backup Targets

  • Immich photos (37GB) - Critical
  • Immich database
  • Netbird configuration & data
  • Gitea repositories & database
  • Nextcloud data

3.2 Backup Solution Options

Option A: Restic + rclone

  • Incremental backups
  • Can backup to multiple destinations (S3, B2, local)
  • Built-in encryption
  • Automatic pruning

Option B: Duplicity

  • Classic solution
  • GPG encryption
  • Supports various backends

Option C: Custom rsync script

  • Simple
  • Full backups only
  • No built-in encryption

Recommended: Option A (Restic)

3.3 Proposed Backup Script

#!/bin/bash
# Backup script for VPS1

# Immich database
docker exec immich_postgres pg_dump -U postgres immich | gzip > /backup/immich-db-$(date +%Y%m%d).sql.gz

# Netbird management data
docker run --rm -v netbird_netbird_management:/data -v /backup:/backup alpine tar czf /backup/netbird-$(date +%Y%m%d).tar.gz /data

# Restic snapshots
restic -r rclone:backup:vps1 backup /home/phil/docker
restic -r rclone:backup:vps1 forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12

Phase 4: Monitoring

4.1 Container Monitoring

  • cAdvisor - Container metrics
  • Node Exporter - Host metrics
  • Grafana + Prometheus - Dashboards (optional)

4.2 Simple Monitoring (Recommended)

  • Docker health checks
  • Uptime monitoring via external service
  • Email alerts on container failures
  • Log aggregation with Loki (optional)

File Structure

/home/phil/docker/
├── netbird/           # Existing - VPN management
├── immich-app/        # Existing - Photo management
├── nextcloud/         # Existing - File storage
├── gitea/             # NEW - Git hosting
│   ├── docker-compose.yml
│   ├── .env
│   └── Caddy-snippet.conf
└── backup/            # NEW - Backup scripts
    ├── backup.sh
    ├── restore.sh
    └── restic/

Caddy Unified Configuration

Update /home/phil/docker/netbird/Caddyfile to handle all services:

{
  debug
  servers :80,:443 {
    protocols h1 h2c h2 h3
  }
}

(security_headers) {
    header * {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}

# Netbird Dashboard & API
nb.phiiiil.de, vps1.phiiiil.de {
    import security_headers
    # ... existing netbird routes ...
}

# Immich
immich.phiiiil.de {
    import security_headers
    reverse_proxy immich_server:2283
}

# Gitea
git.phiiiil.de {
    import security_headers
    reverse_proxy gitea:3000
}

# Nextcloud
nc.phiiiil.de {
    # ... existing nextcloud config ...
}

Implementation Order

  1. COMPLETED: VPS Analysis
  2. COMPLETED: Documentation created
  3. NEXT: User approval of plan
  4. TODO: Security hardening (UFW, fail2ban)
  5. TODO: Gitea deployment (after user decisions)
  6. TODO: Backup system setup
  7. TODO: Monitoring setup
  8. TODO: Final documentation update

Questions for User

Before proceeding with Gitea deployment:

  1. Database for Gitea: SQLite (simpler) or PostgreSQL (better)?
  2. Authentication: Local accounts or integrate with Netbird OIDC?
  3. Git SSH access: Use port 2222 or different port?
  4. Backup destination: Where should backups be stored?
  5. Monitoring level: Basic (health checks) or full (Grafana dashboards)?

Risk Assessment

Risk Impact Mitigation
Immich data loss CRITICAL Automated backups before any changes
Container downtime Medium Rollback procedures documented
Security breach HIGH UFW, fail2ban, regular updates
Disk space exhaustion Medium Monitor usage (900GB free)
DNS configuration issues Low Test DNS before service deployment
Reference in New Issue View Git Blame Copy Permalink